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CRYPTOGRAPHIC CO-PROCESSOR 

CROSS-REFERENCE TO RELATED APPLICATIONS 

This application is based on U.S. Provisional Patent Application Serial Nos. 
60/059,082, 60/059,839, 60/059,840, 60/059,841, 60/059,842, 60/059,843, 
60/059,844, 60/059,845 and 60/059,847, each of which was filed on September 
16, 1997, the disclosures of which are incorporated herein by reference. 

COPYRIGHT NOTICE 
A portion of the disclosure of this patent document contains material which 
is subject to copyright protection. The copyright owner has no objection to the 
facsimile reproduction by anyone of the patent disclosure, as it appears in the 
Patent and Trademark Office patent files or records, but otherwise reserves all 
copyright rights whatsoever. 

BACKGROUND OF THE INVENTION 

Field Of The Invention 

The present invention relates generally to a secure communication platform 
on an integrated circuit, and more particularly relates to a digital signal processor 
(DSP) with embedded encryption security features. 

Description Of The Prior Art 

Digital signal processors (DSPs) are widely used in devices such as 
modems, cellular telephones and facsimiles. With an increase in digital 
communications, data transmission security has become an issue in numerous DSP 
applications. A standard DSP is not capable of providing data transmission 
security; thus, additional hardware and software are required. 
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Security for digital communications is available on various integrated 

circuits. The integrated circuit security features include hardware implemented 

encryption algorithms such as the Data Encryption Standard (DES), Hash function 

algorithms and hardware implemented public key accelerators. The availability of 

this hardware makes it possible to provide security for distributed computing; 

however, no hardware implemented encryption algorithms have been known to be 

incorporated in a DSP. 

Software encryption algorithms have also been developed to provide 

security for distributed computing. One commonly used encryption algorithm is 

the Data Encryption Standard (DES). DES is a block cipher which operates on 

64-bit blocks of data and employs a 56-bit key. Another commonly used standard 

is the Digital Signature Algorithm (DSA). The DSA standard employs an 

irreversible public key system. These algorithms and more are part of the public 

domain and are available on the Internet. 

Hash function algorithms are used to compute digital signatures and for 

other cryptographic purposes. One Hash function algorithm is the U.S. 

government's Secure Hash Algorithm (SHA-1). 

Another security standard commonly used is the Internet Protocol Security 

Standard (JPsec). This standard provides security when communicating across the 

Internet. The standard requires DES to encrypt an Internet Protocol data packet, 

SHA-1 for authentication, and a public key algorithm for hand-shaking. 

Since the IPsec standard requires different encryption algorithms, a 

software library is usually created so that a desired algorithm may be accessed 

when needed. Security systems employing encryption libraries are software 

implemented and designed specifically to run on the user's processor hardware. 

Digital communication systems are not generally designed with security 

hardware. In most systems, security is achieved by software, such as described 

above, which is not entirely secure because there is no security hardware to block 

access to the security software by an intruder. Another problem associated with 

software encryption algorithms is that some of the software encryption algorithms 

run slower than when hardware implemented. 

2 
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OBJECTS AND SUMMARY OF THE INVENTION 

It is an object of the present invention to provide a digital signal processor 
with embedded security functions on a single integrated circuit. 

It is another object of the present invention to provide a secure 
communications platform that can implement a user's application and dedicate 
cryptographic resources to encryption and decryption requests on demand. 

It is another object of the present invention to provide an increase in 
encryption security through hardware implementations. 

It is another object of the present invention to provide a security co- 
processor for high speed networking products such as routers, switches and hubs. 

A cryptographic co-processor constructed in accordance with one form of 
the present invention includes a processor having encryption circuits built into it. 
The processor is capable of processing various applications, such as modem and 
networking applications. The encryption circuits and firmware make it possible to 
add security to the various processing applications. Hardware such as encryption 
and hash circuits are provided and structured to work together to provided 
accelerated encryption/decryption capabilities. A memory is programmed with 
cryptographic algorithms that support various encryption/decryption techniques. 
The cryptographic co-processor is structured so that a manufacturer of data 
communication products could substitute a current processor with the 
cryptographic co-processor and receive encryption capabilities with little 
modification to the existing product. 

Since DSP's are the building block of many communication systems, a 
secured DSP with universal security features that may be selected by the 
manufacturer of the equipment in which the DSP forms part of would have far 
ranging benefits. 

The benefits of a universal cryptographic co-processor (e.g., DSP) is that it 

can perform standard processor functions and standard encryption functions with 

no peripheral hardware or cryptographic software. Because the cryptographic co- 

3 
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processor is implemented on a standard processor platform (i.e., substrate or 
monolithic chip), the processor that is being used in a manufacturer's product can 
be substituted with the cryptographic co-processor with little or no modification to 
the original design. The manufactured product incorporating the secure, universal 
co-processor now has encryption capabilities along with the original processor 
capabilities. 

A preferred form of the cryptographic co-processor, as well as other 
embodiments, objects, features and advantages of this invention, will be apparent 
from the following detailed description of illustrated embodiments, which is to be 
read in connection with the accompanying drawing. 

BRIEF DESCRIPTION OF THE DRAWING 



Figure 1 is a block diagram of the cryptographic co-processor formed in 
accordance with the present invention. 

Figure 1 A is a block diagram similar to Figure 1 showing another view of 
the cryptographic co-processor of the present invention. 

Figure 2 is a block diagram of the program memory preferably used in the 
co-processor of the present invention for MMAP=0. 

Figure 3 is a block diagram of the program memory preferably used in the 
co-processor of the present invention for MMAP=1. 

Figure 4 is a block diagram of the data memory preferably used in the co- 
processor of the present invention. 

Figure 5 is a block diagram of the PCI memory preferably used in the co- 
processor of the present invention. 

Figure 6 is a block diagram of the DMA subsystem preferably used in the 
co-processor of the present invention. 

Figure 7 is a block diagram of the DSP "local" memory preferably used in 
the co-processor of the present invention. 

Figure 8 is a flow chart showing the DMA control preferably used in the 
co-processor of the present invention. , 
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Figure 9 is a block diagram of the hash/encrypt circuit preferably used in 
the co-processor of the present invention. 

Figure 10 is a block diagram of the interrupt controller preferably used in 
the co-processor of the present invention. 

Figure 1 1 is a block diagram of the CGX software interface preferably used 
in the co-processor of the present invention. 

Figure 12 is a block diagram illustrating the layers of software preferably 
used in the co-processor of the present invention 

Figure 13 is a block diagram of the CGX overlay interface preferably used 
in the co-processor of the present invention. 

Figure 14 is a block diagram illustrating the hierarchical interface of the 
CGX kernel cryptographic service preferably used in the co-processor of the 
present invention. 

Figure 15 is a functional state diagram illustrating the CGX kernel 
preferably used in the co-processor of the present invention. 

Figure 16 is a functional tree diagram showing the KEK hierarchy 
preferably used in the co-processor of the present invention. 

Figure 17 is a block diagram of a symmetric key weakening algorithm 
preferably used in the co-processor of the present invention. 

Figure 18 is a functional tree diagram showing the symmetric key hierarchy 
preferably used in the co-processor of the present invention. 

Figure 19 is a portion of a computer program defining the PCDB data type 
preferably used in the co-processor of the present invention. 

Figure 20 is a block diagram of the kernel block preferably used in the co- 
processor of the present invention. 

Figure 21 is a portion of a computer program defining the kernel block 
preferably used in the co-processor of the present invention. 

Figure 22 is a portion of a computer program defining the command block 
preferably used in the co-processor of the present invention. 
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Figure 23 is a portion of a computer program defining the secret key object 
preferably used in the co-processor of the present invention. 

Figure 24 is a portion of a computer program defining the public keyset 
preferably used in the co-processor of the present invention. 

Figure 25 is a portion of a computer program defining the Diffie-Hellman 
public keyset preferably used in the co-processor of the present invention. 

Figure 26 is a portion of a computer program defining the RS A public 
keyset preferably used in the co-processor of the present invention 

Figure 27 is a portion of a computer program defining the DS A public 
keyset preferably used in the co-processor of the present invention. 

Figure 28 is a portion of a computer program defining the DSA digital 
signature preferably used in the co-processor of the present invention. 

Figure 29 is a portion of a computer program defining the DSA seed key 
preferably used in the co-processor of the present invention 

Figure 30 is a portion of a computer program defining the key cache 
register data type preferably used in the co-processor of the present invention 

Figure 3 1 is a portion of a computer program defining the symmetrical 
encryption context store preferably used in the co-processor of the present 
invention. 

Figure 32 is a portion of a computer program defining the one-way hash 
context store preferably used in the co-processor of the present invention. 

Figure 33 is a portion of a computer program defining one example of the 
CGX wrap code and command interface preferably used in the co-processor of the 
present invention. 

Figure 34 is a portion of a computer program defining the CGX overlay 
table preferably used in the co-processor of the present invention 

Figure 35 is a portion of a computer program defining the KCS object 
preferably used in the co-processor of the present invention 
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1. A cryptographic co-processor comprising: 
a processing unit for processing data; 

a read only memory electronically linked to the processing unit and 
including a masked programmed cryptographic library of encryption algorithms; 
and 

an encryption processor for encrypting data, the encryption 
processor and the processing unit being situated on the same platform. 

2. A cryptographic co-processor comprising: 

a digital signal processor having a memory associated therewith; 
a cryptographic library having user selectable encryption algorithms 
masked programmed into the memory; and 

security hardware embedded within the digital signal processor. 

3 . A cryptographic co-processor as defined by Claim 2, wherein the 
security hardware includes an encryption circuit, the encryption circuit 
electronically linked to the digital signal processor and performing encryption and 
decryption functions. 

4. A cryptographic co-processor as defined by Claim 2, wherein the 
security hardware includes a HASH circuit, the HASH circuit being electronically 
linked to the digital signal processor and performing HASH functions. 

5 . A cryptographic co-processor as defined by Claim 2, wherein the 
security hardware includes a public key accelerator circuit, the public key 
accelerator circuit being electronically linked to the digital signal processor and 
performing arithmetic functions. 

6. A cryptographic co-processor as defined by Claim 2, wherein the 
security hardware includes a random number generator, the random number 
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generator being electronically linked to the digital signal processor and generating 
random numbers used for encryption purposes. 

7. A cryptographic co-processor as defined by Claim 1, which further 
comprises: 

a laser trimmed memory, the laser trimmed memory being 
electronically linked to the processing unit and having stored therein a master key 
used by the cryptographic co-processor, the master key being programmed into the 
memory by laser trimming. 
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8. A cryptographic service software embodied in at least one of a hard 
disc, a floppy disc and a read-only memory (ROM), the cryptographic service 
software electronically communicating and being compatible with a standard 
operating system of a computer, the operating system having an application space and 
a kernel space, the cryptographic service software performing cryptographic services 
at the kernel space of the operating system, which comprises: 

a generic layer including a kernel space level program interface; and 
a cryptographic service module having a library of encryption 

algorithms, the module electronically communicating and cooperating with the 

program interface. 

9. In combination, a first cryptographic service software embodied in at 
least one of a floppy disc and a read only memory (ROM), the first cryptographic 
service software electronically communicating and being compatible with a standard 
operating system of a computer, the operating system having an application space and 
a kernel space, the cryptographic service software performing cryptographic services 
at the application space of the operating system, the cryptographic service software 
comprising an application program interface, and a first cryptographic service module, 
the first cryptographic service module having a library of encryption algorithms, the 
first cryptographic service module electronically communicating and cooperating with 
the application program interface; and 

a second cryptographic service software embodied in at least one of a 
floppy disc and a read only memory (ROM), the second cryptographic service 
software electronically communicating and being compatible with the operating 
system of the computer, the second cryptographic service software performing 
cryptographic services at the kernel space of the operating system, the second 
cryptographic service software including a kernel space level program interface, and a 
second cryptographic service module, the second cryptographic service module 
having a library of encryption algorithms, the second cryptographic service module 
electronically communicating and cooperating with the kernel space level program 
interface. 
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10. A computer having an operating system, the operating system 
including an application space and a kernel space, which comprises: 

at least one security enabled kernel engine situated in the kernel space 
of the operating system; 

cryptographic service software, the cryptographic service software 
being situated at least in the kernel space of the operating system, the cryptographic 
service software including at least one program interface electronically 
communicating with the at least security enabled kernel engine, and at least one 
cryptographic service module electronically communicating with the at least one 
program interface, the at least one cryptographic service module including a library of 
encryption algorithms. 

11. A computer as defined by Claim 10, which further comprises: 

a cryptographic co-processor, the cryptographic co-processor including 
a memory and a second library of encryption algorithms mask-programmed into the 
memory, the co-processor electronically communicating with the at least one program 
interface of the cryptographic service software. 

12. A method of securely communicating between an application program 
and a secure kernel of an integrated circuit, the secure kernel having stored therein 
cryptographic algorithms, the integrated circuit further having a register, a command 
block memory and a kernel block memory, which comprises the steps of: 

storing in the register of the integrated circuit the address of the 
kernel block memory; 

transferring the kernel block memory address stored in the register to 
the secure kernel; 

reading by the secure kernel the contents of the kernel block memory at 
the transferred address, the contents of the kernel block memory at the 
transferred address containing at least one pointer address corresponding to a 
memory location in the command block memory; and 
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fetching by the secure kernel the contents of the memory location of 
the command block memory corresponding to the at least one pointer address, 
the contents of the memory location including at least one of a command and 
an argument. 

13. A hardware secure memory area, which comprises: 
a main communication bus; 

a plurality of secondary communication buses; 

a plurality of bus transceivers coupling the plurality of secondary 
communication buses to the main communication bus; and 

a plurality of memory circuits coupled to the plurality of 
communication buses, each bus transceiver selectively isolating a secondary 
communication bus to which the bus transceiver is associated from the main 
communication bus and selectively causing communication between the associated 
secondary communication bus and the main communication bus. 

14. A hardware secure memory area, which comprises: 
a main communication bus; 

a first bus transceiver coupled to the main communication bus; 
a second bus transceiver coupled to the main communication bus; 
a third bus transceiver coupled to the main communication bus; 
a key communication bus coupled to the first bus transceiver; 
a key cache coupled to the key communication bus for writing and 

reading keys; 

a key random access memory coupled to the key communication bus 
for writing and reading cryptographic operations and keys; 

a processor memory for writing and reading cryptographic algorithms, 
operations and keys; 

an external memory communication bus coupled to the second bus 

transceiver; 
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an external memory coupled to the external memory communication 
bus for writing and reading application programs and commands; 

a cryptographic algorithm communication bus coupled to the third bus 

transceiver; 

a scratch memory coupled to the cryptographic algorithm 
communication bus for writing and reading cryptographic calculations; and 

a memory coupled to the cryptographic algorithm communication bus 
for storing cryptographic algorithms. 

15. A hardware secure memory area, which comprises: 
a main communication bus; 

a plurality of bus transceivers coupled to the main communication bus 
for controlling access to and from the main communication bus; 

a plurality of secondary communication buses coupled to the bus 
transceivers; and 

a plurality of memory circuits coupled to the plurality of secondary 
communication buses. 

1 6. A method of expanding a protected memory area of a secure kernel 
into an unprotected memory area in an integrated circuit, which comprises the steps 
of: 

initializing the secure kernel including the step of sending thereto a 
command signal having a starting memory block address and the number of memory 
blocks to be protected; 

reading the command signal by the secure kernel; 

writing the starting memory block address and the number of memory 
blocks into a memory of the secure kernel; and 

allocating the starting memory block address and the number of 
memory blocks as protected memory. 
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17. A method of expanding a protected memory area of a secure kernel 
into an unprotected memory area in an integrated circuit, which comprises the steps 
of: 

initializing the secure kernel by a command generated by an 
application program, the command causing arguments attached to the command to be 
vectored into the secure kernel, the arguments including pointer data and the number 
of protected memory blocks requested, the pointer data containing the starting 
memory address of the protected memory requested; 

reading the arguments by the secure kernel- 
writing into a data memory reserve register a code corresponding to the 
number of memory blocks to be protected; and 

allocating the number of memory blocks requested to be protected as 
protected memory starting at the starting memory block address contained in the 
pointer data. 

18. A method of expanding a secured memory into an unprotected memory 
to define an additional secured memory area, the secured memory being expanded to 
accommodate storage of an extended code, the extended code being initially stored in 
the unprotected memory in a location which will become the additional secured 
memory area, the secured memory and the unprotected memory forming parts of an 
integrated circuit, the integrated circuit having a serial number stored in a memory 
thereof, which comprises the steps of: 

retrieving by an authorizing party the serial number stored in the 
memory of the integrated circuit and the extended code proposed to be stored in the 
requested expanded secured memory; 

verifying by the authorizing party whether the extended code is 
acceptable to be stored in the expanded secured memory of the integrated circuit; 

generating a token signal by the authorizing party and communicating 
the token signal to the integrated circuit, the token signal including at least the digital 
signature of the extended code, as computed by the authorizing party, 
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receiving the token signal by the integrated circuit and parsing the 
token signal to separate the digital signature of the authorizing party; 

verifying by the integrated circuit the digital signature of the 
authorizing party parsed from the token signal which, if verified, indicates that the 
authorizing party authorizes the expansion of the secured memory by the integrated 
circuit; and 

invoking by the integrated circuit a command to expand the secured 
memory so that the additional secured memory area now encompasses the location of 
the unprotected memory where the extended code is stored. 

19. A method of expanding a secured memory as defined by Claim 1 8, 
wherein the token signal further includes the serial number of the integrated circuit; 
and wherein the method further comprises the steps of: 

parsing by the integrated circuit from the token signal returned by the 
authorizing party the serial number of the integrated circuit; and 

verifying by the integrated circuit the serial number parsed by the 
token signal by comparing the parsed serial number with the serial number stored in 
the non-volatile memory of the integrated circuit. 

20. A method of expanding a secure kernel memory area into an 
unprotected memory, while providing security to the unprotected memory area and 
validating an extended code, the secure kernel memory and the unprotected memory 
forming part of an integrated circuit, comprising the steps of: 

reading an integrated circuit serial number; 
communicating the serial number to a manufacturer; 
loading code into a memory; 

loading a token into a memory, the token includes the ICs serial 

number; 

digitally signing the extended code by a trusted authority; 
copying the extended code into the ICs unprotected memory; 
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invoking a command to add an extension to the secure kernel memory; 
specifying which memory blocks are to be acquired from the 
unprotected memory area; 

disabling further program access to the unprotected memory area; 
verifying the digital signature computed over the extended code is 

authentic; 

locking the extended code into the protected memory area; and 
permitting the secure kernel to make calls to the protected memory 

area. 

21. A method of reconfiguring the functionality of an integrated circuit, the 
integrated circuit having a serial number stored in a memory thereof, which comprises 
the steps of: 

retrieving the serial number from the integrated circuit; 

transmitting a token request signal by the integrated circuit to an 
authorizing party, the token request signal including at least the serial number of the 
integrated circuit; 

transmitting a return token signal from the authorizing party to the 
integrated circuit, the return token signal including at least the serial number of the 
integrated circuit, a reconfiguration code to be used for reconfiguring the integrated 
circuit and a digital signature of the authorizing party; 

parsing the return token signal by the integrated circuit to extract the 
serial number, reconfiguration code and digital signature; 

verifying the serial number by the integrated circuit by comparing the 
parsed serial number from the return token signal with the serial number stored in the 
memory of the integrated circuit; 

verifying the digital signature of the authorizing party by the integrated 
circuit using a public key stored in the memory of the integrated circuit; 

storing the parsed reconfiguration code from the return token signal in 
a memory of the integrated circuit; and 
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reconfiguring the integrated circuit in accordance with the 
reconfiguration code. 

22. A method of reconfiguring the functionality of an integrated circuit, the 
integrated circuit having a serial number stored in a memory thereof, which comprises 
the steps of: 

retrieving the serial number from the integrated circuit; 

transmitting by the integrated circuit a token request signal to an 
authorizing party, the token request signal including the serial number and a 
reconfiguration code; 

transmitting a return token signal from the authorizing party to the 
integrated circuit, the return token signal including the serial number of the integrated 
circuit, the reconfiguration code and a digital signature of the authorizing party; 

parsing the return token signal by the integrated circuit to extract the 
serial number, reconfiguration code and digital signature; 

verifying the serial number by the integrated circuit by comparing the 
parsed serial number from the return token signal with the serial number stored in the 
memory of the integrated circuit; 

verifying the digital signature of the authorizing party by the integrated 
circuit using a public key stored in a memory of the integrated circuit; 

storing the reconfiguration code in a memory of the integrated circuit; 

and 

reconfiguring the integrated circuit in accordance with the 
reconfiguration code. 

23 . A method of generating a recovery key encryption key (RKEK) in a 
secure manner by an integrated circuit and a key recovery escrow agent, which 
comprises the steps of: 

generating by the integrated circuit a first number having a private 
component and a public component; 
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generating by the escrow agent a second number having a private 
component and a public component; 

providing the public component of the first number to the escrow 

agent; 

providing the public component of the second number to the integrated 

circuit; 

conducting a mathematical operation by the integrated circuit using the 
private component of the first number, and the public component of the second 
number to create the RKEK; and 

conducting a mathematical operation by the escrow agent using the 
private component of the second number, and the public component of the first 
number to create the RKEK. 



24. A method of generating a recovery key encryption key (RKEK) in a 
secure manner by an integrated circuit and a key recovery escrow agent, the integrated 
circuit having a unique serial number stored in a memory of the integrated circuit, 
which comprises the steps of: 

generating by the integrated circuit a first number having a private 
component and a public component; 

generating by the escrow agent a second number having a private 
component and a public component; 

retrieving by a third party the serial number of the integrated circuit 
and comparing the serial number with a serial number stored in a memory of the third 
party to verify the identity of the integrated circuit; 

generating by the third party a message containing at least a digital 
signature of the third party authorizing the generation of the RKEK and 
communicating the message to the integrated circuit; 

providing the public component of the second number to the integrated 

circuit; and 
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conducting a Diffie-Hellman modulo-exponentiation mathematical 
operation by the integrated circuit using the private component of the first number, 
and the public component of the second number to create the RKEK. 

25. A method of generating a recovery key encryption key (RKEK) as 
defined by Claim 24, wherein the message generated by the third party and 
communicated to the integrated circuit further includes the serial number of the 
integrated circuit, and wherein the method further comprises the step of: 

verifying by the integrated circuit the accuracy of the serial number 
included in the message by comparing the serial number of the message with the serial 
number stored in the memory of the integrated circuit. 

26. A method of generating a recovery key encryption key (RKEK) as 
defined by Claim 25, which further comprises the step of: 

verifying by the integrated circuit the accuracy of the digital signature 
of the third party contained in the method.. 

27. A method of generating a recovery key encryption key (RKEK) as 
defined by Claim 26, which further comprises the steps of: 

providing the public component of the first number to the escrow 

agent; and 

conducting a Diffie-Hellman modulo-exponentiation mathematical 
operation by the escrow agent using the private component of the second number, and 
the public component of the first number to create the RKEK. 

28. A controller circuit for switching between a user mode and a kernel 
mode in a processor comprising; 

a processor; 

a program counter electrically connected to the processor for 
monitoring program fetch addresses; 
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a kernel program fetch supervisor circuit having a predetermined 
address value stored within, electrically connected to the program counter for 
comparing the address in the program counter to the predetermined address value 
stored within; 

a program memory electrically connected to the program counter; 

a flip-flop circuit electrically connected to the kernel program fetch 
supervisor circuit for switching between setting a user mode bit and a kernel mode bit; 

a kernel data fetch supervisor circuit electrically connected to the 
processor for comparing a data fetch address to a predetermined memory address 
range; 

a data memory electrically connected to a processor data interface for 

storing data; 

a first AND circuit coupled to the flip-flop and the kernel data fetch 
supervisor circuit for activating and deactivating a violation reset; 

and a second AND circuit coupled to the first AND circuit and the 
kernel program fetch supervisor circuit for activating and deactivating the violation 
reset bit. 

29. A method of monitoring and controlling program fetch addresses and 
data fetch addresses from a processor to control access to a protected memory 
comprising the steps of: 

fetching a program opcode; 

reading a program opcode address; 

determining whether the program opcode address is fetched from one 
of a protected program memory address and an unprotected program memory address; 

resetting the processor when the program opcode is fetched from the 
protected program memory address; 

fetching a data operand when the program opcode address is fetched 
from the unprotected program memory address; 

fetching a data operand and reading the data operand address; 
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determining whether the data operand address is fetched from one of a 
protected data memory address and an unprotected data memory address; 

resetting the processor when the data operand is fetched from the 
protected data memory address; 

calling a starting address of the protected program memory when the 
data operand address is fetched from the unprotected data memory; 

fetching a second program opcode; 

reading the second program opcode address; 

determining whether the second program opcode address is fetched 
from one of a protected program memory address and an unprotected program 
memory address; 

fetching a third program opcode when the second program opcode 
address is fetched from the unprotected memory address; and 

fetching a second data operand when the second program opcode 
address is fetched from the protected memory address. 

30. A method of managing the use of keys in cryptographic co-processor, 
which comprises the steps of: 

selecting a key from one of a symmetrical key type and asymmetrical 

key type; 

selecting a bit length from the selected key; 
generating the key; and 

representing the key in one of an external form and an internal form. 
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